dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
6803

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

Audio spam - How is it getting in?

This is a new one on me folks.

I just fired up BBR with IE and was browsing my favorite forums and what I can best describe as an audio spam started playing.

It was a poor quality recording so it's hard for me to be sure what it was advertising, but it sounded like some kind of movie coming this holiday season.

Hell, it just played again. Elf, rated PG.

I'm running nod32. I've done a full scan. All my ports are stealth-ed. I use OE6 but don't ever have the preview window enabled and I always shift-delete any messages I don't recognize.

Has anyone else experienced the audio spam I'm getting? And does anyone have a clue how it got in to my system?

TIA

--jeff

edit: More info...I found the files that's being played and found it somehow rode in on AIM. If I close AIM in the middle of the sound bite, it stops it.

The 3 files are:
aim_ELFInc.js
elAUD.eye
elf350.eye

[text was edited by author 2003-10-29 14:52:34]
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

LowWaterMark

Premium Member

You're saying you think it's from BBR/DSLR? I suppose someone could be fooling around with embedding a script to call a flash object (one that's just sound) or somehow linking some other type of sound file. Do you know exactly what threads you were in? If it is from here, you may be able to locate it. Otherwise, might you have other spyware installed? You could scan with either/both Ad-Aware or Spybot S&D.

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

I thought it might've been for a minute, but I now realize it was just a coincidence that it happened shortly after I fired up BBR.

Sorry if I gave anyone the impression that BBR was in any way involved.

panth1
The Coyote
join:2000-12-11
Port Saint Lucie, FL

panth1 to jefe

Member

to jefe
I just got this not 5 minutes ago and came to this forum :P

My friend said he got this yesterday and I was like wtf you talking about and now it just happend.

I'm running DeadAIM and it was "downloaded" by one of my friends so I wonder if some hacked it to include this.

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

I'm running DeadAim V4 also. One other thing, I just got a notification from JDennis that V4.1 was available. I went to their web site to get it and I wonder if that's where the culprit files could've come from?

(I didn't get DeadAIM 4.1 because they want me to give them my friggin' birthday to register with them. I oppose giving out that info for a casual registration on principle, but that's another thread....)
halc
join:2003-03-17
swe

halc to jefe

Member

to jefe
I'm not sure I understand you, but playing an embedded background sound without user control is one of the very basic features of Internet Explorer (and many other browsers).

Or did you mean something completely else?

I block all automatic video/sound embed links using Proxomitron web filter.
Daemon
Premium Member
join:2003-06-29
Washington, DC

Daemon to jefe

Premium Member

to jefe
Unfortunately, AOL has started spaming AIM users with audio ads. At the same time, DeadAIM only hides the ads.

What is happening is that the ad is playing, but DeadAIM has made it invisible.

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe to halc

Premium Member

to halc
I have all those features disabled in IE too.

It took a little while before I found that closing AIM would stop the audio file from playing.

AIM is big on advertising banners, which DeadAim blocks. I wonder if that Java script and the files associated with it were just a new way of AIM pushing advertisements?

The issue hasn't resurfaced since I found and deleted the 3 files I mentioned above, which were in \Documents and Settings\user-me\Local Settings\Temporary Internet Files. (XP Pro)
jefe

jefe to Daemon

Premium Member

to Daemon
said by Daemon:
Unfortunately, AOL has started spaming AIM users with audio ads. At the same time, DeadAIM only hides the ads.

What is happening is that the ad is playing, but DeadAIM has made it invisible.

Yep...that's just the conclusion I came to.

Maybe JDennis will find a way to let you select blocking the audio ads as well. Or maybe it's just time to find another IM client and service.
Daemon
Premium Member
join:2003-06-29
Washington, DC

Daemon

Premium Member

it's simple enough to monitor your connections via netstat and the add the AOL ad server to your host file so that it loops back to localhost.

This also keeps AOL from downloading any ads normally, but deadaim has the additional benefit of hiding the space where the ad normally goes.

-Ryan

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

Do you happen to know that the IP or URL is of the AOL ad server?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jefe

Premium Member

to jefe
Hmmmm, I wonder if that is only happening on newer versions of AIM? I am running 4.7.2480 and have not had the problem.

However, if you would like to continue using the AIM service and want to use a different client, Trillian works very well with AIM (and it has no ads or spyware). They have a free Basic Version and a paid Pro Version - both very popular with some of our members here. You can use Trillian with your existing AIM screen names and you can transfer your buddy list, if you have saved it from AIM. Trillian will also allow you to use other chat clients like ICQ and Yahoo, MSN, and IRC
»www.ceruleanstudios.com

I wrote a tutorial in another forum that might help if you decide to try it:)
How to Set up & Use Trillian with AIM
»forum.gladiator-antiviru ··· pic=5116

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

I used Trillian for a while CJ. I didn't like it as well as the native AIM client. I can't remember why...it's been a year or so.

I'm going to work trying to block the ad server before I give up on AIM.

Tnx.

--jeff

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

Yep, I prefer the AIM client too. For now, I think I am safe from the elf with my older version

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

Click for full size
So it's back...with more files than before. The screen grab shows the files in my temp folder.

Can anyone suggest what URL I should block, and the exact syntax to use in hosts?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to jefe

Premium Member

to jefe
This is soooooo not good.

I found this on google but could only get the cached link to show the news story (so if this link doesn't work - just google for AOL audio ads)

AOL Tests TV Ads in AIM
quote:
Users also will be able to stop, rewind, and replay the spots at will, Bernstein said

"The user is going to be in control," he added. "That goes back to us being very careful with our users and wanting to make it a great experience, so we've taken some safeguards -- if a user wants to stop it, they can stop it, if they want to replay it, they can."

However, they won't be able to control an ad's initial use of sound -- instead, that will be initiated by the ad server.
Sounds Ads...seems to be a growing trend Related story here:
»www.wired.com/news/ebiz/ ··· ,00.html

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

Right. Just what we need. More ads blaring at us.

If I can't find a way to block that noise I will for sure dump AIM and find another way to IM. Not that AOL is losing any sleep over the possibility of losing me.

Epyon9283
Premium Member
join:2001-12-26
Trenton, NJ

Epyon9283 to jefe

Premium Member

to jefe
Just use a different AIM client like Trillian or Gaim. They don't have any ads.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to jefe

Premium Member

to jefe
Extension: EYE
Program and/or Extension Function Company
Eyeris Encoded Audio/Video File Eyewonder, Inc.
Specific Notes
Eyeris is the backbone of EyeWonder's technology, an encoding algorithm that supports Web, E-mail and wireless environments from narrowband up. EyeWonder is Java-based streaming media technology. The procedure for all EyeWonder audio/video files begins with the encoding (compressing) process via the Eyeris technology into .EYE files.

»www.eyewonder.com/
Daemon
Premium Member
join:2003-06-29
Washington, DC

Daemon to jefe

Premium Member

to jefe
from the firewall logs i keep, i'd host out

aim-charts.pf.aol.com
www.aim.com
aim.aol.com
ar.alwola.com

for the specific ad I'd block
www.empiremovies.com
xlonhcld.xlontech.net (which is where the player is coming from)

also, you can try uninstalling viewpoint media player from add/remove (aim installs it automatically)

AIM connect to AIM.com and then is redirected to a different site, which i think is the atwola site.

Jan Janowski
Premium Member
join:2000-06-18
Waynesville, NC

Jan Janowski to jefe

Premium Member

to jefe
betcha it is coming in via somekind of messinger.

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe to Daemon

Premium Member

to Daemon
ryi...

I think aim.com, aim.aol.com, and ar. alwolda.com, are all servers used for the basic AIM functionality.

I looked at xlontech.net and it doesn't seem like this kind of crap is their forte, but I will hosts it and empire.com out.

Good find about viewpoint media player. I've uninstalled it and maybe that alone is enough?

Thanks for the suggestions.

--jeff
Daemon
Premium Member
join:2003-06-29
Washington, DC

Daemon to jefe

Premium Member

to jefe
those first three servers that i listed connect on port 80.

I didn't list any of the servers that connect on port 5190, but it's possible AIM is connecting to one on port 80 and 5190.

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

Port 80 is blocked by my ISP. Port 5190 is used by AIM for it's basic function. I have to expect that if I blocked 5190 myself I'd have no AIM.

Glaice
Brutal Video Vault
Premium Member
join:2002-10-01
North Babylon, NY

1 recommendation

Glaice to CalamityJane

Premium Member

to CalamityJane
Dang you, I was about to plug Trillian also!
Daemon
Premium Member
join:2003-06-29
Washington, DC

Daemon to jefe

Premium Member

to jefe
sorry- i meant your computer connects to the first three on their port 80.

arden625
join:2001-07-10
Haledon, NJ

arden625 to jefe

Member

to jefe
Funny...I never had this problem and all of a sudden, I came to this thread and I heard the Matrix Revolutions trailer ad. Stupid AIM!
arden625

arden625

Member

said by "the article":
America Online said it would restrict the number of times a user is exposed to one of the ads to about two per day. Tightly limiting the ads' frequency is an effort to avoid what is known in marketing parlance as "ad burnout," a loss of advertising efficacy due to overexposure -- but also helps to ensure that AIM users don't become overly annoyed.
Eh? I received ONE and I'm annoyed already.

Urge to use ICQLite...rising...

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

I think the guy who thought up that idea should be shot.

"Overly annoyed?" Give me a break. It took 10 seconds the first time it played before I was overly annoyed.

FWIW, it seems, so far, that uninstalling viewpoint media player and blocking empiremovies.com and xlonhcld.xlontech.net in my hosts file have stopped any further occurrences of this new plague.

--jeff

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL
ARRIS DG1670

pcdebb to jefe

Premium Member

to jefe
said by jefe:
I thought it might've been for a minute, but I now realize it was just a coincidence that it happened shortly after I fired up BBR.

Sorry if I gave anyone the impression that BBR was in any way involved.
this just happened to me as well! I'm not running deadAIM tho. I got no windows pop up from aim or anything, all i had open is an IM window chatting with someone and bbr, i was on an other forum and moved to another one and got the wierd sound. (sounded like a movie trailer?)